openvidu/LIVEKIT-SELFHOST-SERVER.md

# SERVIDOR LIVEKIT SELF-HOSTING DEDICADO

## 🖥️ Setup en servidor dedicado (192.168.1.19)

### Docker Compose para LiveKit Server:
```yaml
# docker-compose-livekit-server.yml
version: '3.8'

services:
  # LiveKit Server Principal
  livekit-server:
    image: livekit/livekit-server:latest
    container_name: livekit-production
    restart: unless-stopped
    ports:
      # API/WebSocket (EXPONER PÚBLICAMENTE)
      - "7880:7880"
      
      # Rango UDP para WebRTC (EXPONER PÚBLICAMENTE) 
      - "50000-50100:50000-50100/udp"  # 100 puertos para ~10 usuarios concurrentes
      
    volumes:
      - ./livekit-production.yaml:/livekit.yaml:ro
      - ./logs:/app/logs
    command: --config /livekit.yaml
    environment:
      - LIVEKIT_CONFIG=/livekit.yaml
    networks:
      - livekit-network
    depends_on:
      - redis

  # Redis para LiveKit
  redis:
    image: redis:7-alpine
    container_name: livekit-redis
    restart: unless-stopped
    ports:
      - "6379:6379"
    command: redis-server --requirepass ${REDIS_PASSWORD:-livekitredis123}
    volumes:
      - redis_data:/data
    networks:
      - livekit-network

  # Nginx SSL Termination (para HTTPS/WSS)
  nginx-livekit:
    image: nginx:alpine
    container_name: livekit-nginx
    restart: unless-stopped
    ports:
      - "443:443"   # HTTPS/WSS (EXPONER PÚBLICAMENTE)
      - "80:80"     # HTTP redirect
    volumes:
      - ./nginx-livekit.conf:/etc/nginx/nginx.conf:ro
      - ./ssl:/etc/nginx/ssl:ro  # Certificados SSL
    depends_on:
      - livekit-server
    networks:
      - livekit-network

volumes:
  redis_data:

networks:
  livekit-network:
    driver: bridge
```

### Configuración LiveKit Production:
```yaml
# livekit-production.yaml
port: 7880
bind_addresses: ["0.0.0.0"]

# API Keys seguros
keys:
  production-key: tu-super-secret-de-32-caracteres-o-mas

# Redis para scaling y persistence
redis:
  address: "redis:6379"
  password: "livekitredis123"
  db: 0

# RTC Configuration para acceso público
rtc:
  # Puertos UDP (coincidir con docker-compose)
  port_range_start: 50000
  port_range_end: 50100
  
  # IP pública/externa (tu IP pública o dominio)
  use_external_ip: true
  external_ip: "TU_IP_PUBLICA_O_DOMINIO"  # ej: "mi-casa.duckdns.org"
  
  # STUN servers para NAT traversal
  ice_servers:
    - urls: ["stun:stun.l.google.com:19302"]
    - urls: ["stun:stun1.l.google.com:19302"]

# Room settings para producción
room:
  auto_create: true
  max_participants: 50
  empty_timeout: 600  # 10 minutos

# Security
webhook:
  # Opcional: webhook para eventos
  api_key: "tu-webhook-key"

# Logging
log_level: info
log_format: json

# Enable egress (grabaciones)
# Automático con Redis
```

### Nginx SSL para LiveKit:
```nginx
# nginx-livekit.conf
events {
    worker_connections 1024;
}

http {
    # Redirect HTTP to HTTPS
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # HTTPS/WSS Server
    server {
        listen 443 ssl http2;
        server_name _;

        # SSL Configuration
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/key.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        # WebSocket support para LiveKit
        location / {
            proxy_pass http://livekit-server:7880;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # Timeouts para WebRTC
            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;
        }
    }
}
```

## 🔥 Firewall en servidor LiveKit:
```bash
# UFW rules para exposición pública segura
sudo ufw allow 80/tcp comment "HTTP redirect"
sudo ufw allow 443/tcp comment "HTTPS/WSS LiveKit"
sudo ufw allow 7880/tcp comment "LiveKit API directo"
sudo ufw allow 50000:50100/udp comment "WebRTC UDP range"

# Opcional: limitar SSH a red local solamente
sudo ufw allow from 192.168.1.0/24 to any port 22

sudo ufw enable
sudo ufw status numbered
```